This lab discloses sensitive information via its version control history. To solve the lab, obtain the administrator's password. Then, log in as
administrator and delete Carlos's account.
/.gitto reveal the lab's Git version control data.
wget -r https://your-lab-id.web-security-academy.net/.git. Windows users will need to find an alternative method, or install a UNIX-like environment, such as Cygwin, in order to use this command.
"Remove admin password from config".
admin.conffile. Notice that the commit replaced the hard-coded admin password with an environment variable
ADMIN_PASSWORDinstead. However, the hard-coded password is still clearly visible in the diff.